health: disable TLS restriction for health check

Removes TLS restriction on health endpoint when termination is set - closes #586
ory · Sep 26, 2017 · 49cad75 · 49cad75
1 parent 89d429e
commit 49cad75
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 10 deletions.
diff --git a/config/config.go b/config/config.go
@@ -128,6 +128,10 @@ func (c *Config) DoesRequestSatisfyTermination(r *http.Request) error {
 		return errors.New("TLS termination is not enabled")
 	}
 
+	if r.URL.Path == "/health" {
+		return nil
+	}
+
 	ranges := strings.Split(c.AllowTLSTermination, ",")
 	if err := matchesRange(r, ranges); err != nil {
 		return err

diff --git a/config/config_test.go b/config/config_test.go
@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/assert"
+	"net/url"
 )
 
 func TestConfig(t *testing.T) {
@@ -19,26 +20,33 @@ func TestConfig(t *testing.T) {
 
 func TestDoesRequestSatisfyTermination(t *testing.T) {
 	c := &Config{AllowTLSTermination: ""}
-	assert.NotNil(t, c.DoesRequestSatisfyTermination(new(http.Request)))
+	assert.Error(t, c.DoesRequestSatisfyTermination(new(http.Request)))
 
 	c = &Config{AllowTLSTermination: "127.0.0.1/24"}
 	r := &http.Request{Header: http.Header{}}
-	assert.NotNil(t, c.DoesRequestSatisfyTermination(r))
+	assert.Error(t, c.DoesRequestSatisfyTermination(r))
 
 	r = &http.Request{Header: http.Header{"X-Forwarded-Proto": []string{"http"}}}
-	assert.NotNil(t, c.DoesRequestSatisfyTermination(r))
+	assert.Error(t, c.DoesRequestSatisfyTermination(r))
 
 	r = &http.Request{
 		RemoteAddr: "227.0.0.1:123",
 		Header:     http.Header{"X-Forwarded-Proto": []string{"https"}},
 	}
-	assert.NotNil(t, c.DoesRequestSatisfyTermination(r))
+	assert.Error(t, c.DoesRequestSatisfyTermination(r))
 
 	r = &http.Request{
 		RemoteAddr: "127.0.0.1:123",
 		Header:     http.Header{"X-Forwarded-Proto": []string{"https"}},
 	}
-	assert.Nil(t, c.DoesRequestSatisfyTermination(r))
+	assert.NoError(t, c.DoesRequestSatisfyTermination(r))
+
+	r = &http.Request{
+		RemoteAddr: "127.0.0.1:123",
+		Header:     http.Header{"X-Forwarded-Proto": []string{"https"}},
+		URL: &url.URL{			Path: "/health"		},
+	}
+	assert.NoError(t, c.DoesRequestSatisfyTermination(r))
 }
 
 func TestSystemSecret(t *testing.T) {

diff --git a/health/doc.go b/health/doc.go
@@ -1,8 +1,11 @@
 package health
 
 // A list of clients.
-// swagger:response clientsList
+// swagger:response healthStatus
 type swaggerListClientsResult struct {
 	// in: body
-	Body struct{}
+	Body struct{
+		// Status always contains "ok"
+		Status string `json:"status"`
+	}
 }
diff --git a/health/handler.go b/health/handler.go
@@ -24,17 +24,21 @@ func (h *Handler) SetRoutes(r *httprouter.Router) {
 //
 // Check health status of instance
 //
+// This endpoint does not require the `X-Forwarded-Proto` header when TLS termination is set.
+//
 //     Responses:
-//       204: emptyResponse
+//       200: healthStatus
 //       500: genericError
 func (h *Handler) Health(rw http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-	rw.Write([]byte("ok"))
+	rw.Write([]byte(`{"status": "ok"}`))
 }
 
 // swagger:route GET /health/stats health getStatistics
 //
 // Show instance statistics
 //
+// This endpoint returns information on the instance's health. It is currently not documented.
+//
 // The subject making the request needs to be assigned to a policy containing:
 //
 // ```
@@ -57,7 +61,7 @@ func (h *Handler) Health(rw http.ResponseWriter, r *http.Request, _ httprouter.P
 //       oauth2: hydra.health
 //
 //     Responses:
-//       200: clientsList
+//       200: emptyResponse
 //       401: genericError
 //       403: genericError
 //       500: genericError